SANS Digital Forensics and Incident Response Blog

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect's USB stick that you didn't get looked like? Read on!

The data is stored as binary blobs under the following registry keys:

HKCU\Software\Microsoft\Windows\Shell\BagMRU

HKCU\Software\Microsoft\Windows\Shell\Bags

HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU

HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

Back in December of 2004, a guy named Michal Mutl of MiTeC, in collaboration with Allen S. Hay of the Northumbria Police, produced a program to interpret these values. The program was enhanced over the following year to do a number of other things such as:

Decrypt ROT13 User Assist Keys

Parse the Streams MRU

Output the access time of files or folders plus the attributes of the files or folders contained within.

The program, Windows Registry Analyzer (WRA), was provided free of charge (per its included license agreement) from MiTeC's web site until they were acquired by Paraben. After much dedicated searching (Google is your friend!) I found the last publicly released version (1.5.2) in the Internet archive at bibalex. I'd be unfair to Paraben if I didn't mention that they're now selling a descendant of this program, Registry Analyzer v1.0, for a nominal charge of $129.

Here's where I found the reference to the first of the mirrored copies that I ultimately discovered.

And here's a reference to where I read about this first (sorry to those who don't have Guidance forum access).

I was just about to give up on being able to easily provide complete details on how WRA works its magic decoding-fu. Once upon a time, this information was available here, but that's gone since Paraben acquired MiTeC. Just as I was about to upload this article, however, I thought to try feeding the above URL into the bibalex archive where I'd found the zip file. Isn't the Internet grand?

I'd repeat the salient bits here, but they run to several pages, and Allen Hay did a good job illustrating the explanation anyway, so check it out there.

I'd already submitted this article for review, but I pulled it back for revision when I found some more cool bits that deserve mention. The tool and paper referenced above actually document some other registry keys as well:

HKCU\Software\Microsoft\Windows\Currentversion\Explorer\StreamMRU

HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Streams

These keys contain information similar to that found in ShellBags. Both ShellBags and StreamMRU also include a snapshot of file/folder MACtime data.
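As an added illustration of what the binary blobs listed above hold (this is example code written for this page, not code from the post or from WRA): a small Python decoder for the per-folder items and the MRUListEx ordering under BagMRU, applied to a constructed sample. The field layout of the file-entry shell item and the MRUListEx format are assumptions drawn from the published shell item format rather than from this page; the full format, including the extension block carrying the created/accessed times that this example omits, is in the WRA+Guidance.pdf referenced in the comments.

```python
import struct
from datetime import datetime

# Layout of a file-entry shell item (class type 0x31 = folder) in a BagMRU value.
# Assumed from the published shell item format, not spelled out in the blog post.
ITEM_HEADER = struct.Struct("<HBBIHHH")  # size, type, pad, filesize, date, time, attrs

def fat_datetime(date: int, time: int) -> datetime:
    """Decode a packed FAT/DOS date+time pair (2-second resolution)."""
    year, month, day = ((date >> 9) & 0x7F) + 1980, (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = (time >> 11) & 0x1F, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)

def parse_folder_item(blob: bytes) -> dict:
    """Return name, FAT modification time and folder flag of a 0x31 item."""
    _, ctype, _, _, date, time, attrs = ITEM_HEADER.unpack_from(blob, 0)
    if (ctype & 0x70) != 0x30:
        raise ValueError(f"not a file entry item: type 0x{ctype:02x}")
    end = blob.index(b"\x00", ITEM_HEADER.size)  # NUL-terminated 8.3 name at offset 14
    return {"name": blob[ITEM_HEADER.size:end].decode("ascii"),
            "modified": fat_datetime(date, time), "is_folder": bool(attrs & 0x10)}

def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx: little-endian uint32 indices, most recent first, 0xFFFFFFFF terminated."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def build_folder_item(name: str, when: datetime) -> bytes:
    """Pack a minimal constructed 0x31 item (no extension block) for the sample."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    body = name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)  # pad to an even length
    return ITEM_HEADER.pack(ITEM_HEADER.size + len(body), 0x31, 0, 0, date, time, 0x10) + body

# Constructed sample: two numbered values and an MRUListEx as they might sit
# under BagMRU\0 for a removable drive (not real data from any case).
SAMPLE_VALUES = {
    0: build_folder_item("CASEFILES", datetime(2008, 10, 29, 14, 30, 0)),
    1: build_folder_item("PHOTOS", datetime(2008, 10, 31, 9, 15, 2)),
}
SAMPLE_MRULISTEX = struct.pack("<III", 1, 0, 0xFFFFFFFF)

def most_recent_folders() -> list:
    """Decode the sample values in MRU order (most recently viewed first)."""
    return [parse_folder_item(SAMPLE_VALUES[i]) for i in parse_mrulistex(SAMPLE_MRULISTEX)]
```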

An even cooler facet of this is that Windows Restore Points archive copies of NTUSER.DAT, which can be opened with this tool. So you can potentially browse through a significant amount of historical file/folder data. As there are a limited number of these entries (according to this page, by default there are 28 StreamMRUs, and according to this page, there are 200 local folder bags entries and 200 network folder bags entries), these entries will cycle through, and different restore points may contain different data. There would appear to be some overlap in the functioning of these two registry mechanisms, but it's not clear to me how this is resolved.

Additionally, the Registry Analyzer tool decodes several other registry keys/values, including ProgramsCache (can't find a reference, sorry) and Userassist.

I also downloaded the demo of the current version from Paraben, and a cursory examination shows no significant differences from the free version.

If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.

5 Comments

keydet89

cpldbc

It's ironic. I have been trying to link an external drive to a laptop for quite some time now. I finally located the proof I needed through the ShellNoRoam key, showing that the folder had been altered on the external drive, through the laptop. I just finished looking up all of the same BagMRU info on Wednesday, and then read your synopsis on Friday. Felt like deja vu on Halloween. Nice work. -dc

johnmccash

keydet89 - There are links in the text which point to the downloadable tool and several references. Specifically:

Tool: http://web.archive.bibalex.org/web/20050212140945/http:/www.mitec.cz/Downloads/WRA.zip

Registry key formats: http://web.archive.bibalex.org/web/20050529130051/www.mitec.cz/Downloads/WRA+Guidance.pdf

Other references:

http://ubcd4win.com/forum/index.php?act=Print&client=printer&f=16&t=6655

https://support.guidancesoftware.com/forum/showthread.php?t=22901

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=243

http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=310

http://support.microsoft.com/kb/235994

http://support.microsoft.com/kb/813711/en-us

http://blog.didierstevens.com/programs/userassist/

I hope this helps you. John

johnmccash

One more thing I neglected to mention. Neither the free nor the commercial version of the Registry Analyzer will run under 64bit Windows, even in 32bit mode. I complained to Paraben about this, and they replied that 64bit support will be added in a future release. No date is yet available for that, of course.

Fifth.Sentinel

I was looking into Shell Bags yesterday. I came across this reference also that has a decent overview of Shell Bags. http://42llc.net/index.php?option=com_myblog&task=tag&category=Shell+Bags&Itemid=39

Fifth.Sentinel
